docker-compose.yml
# Compose stack with two services on one bridge network:
#   - openclaw:     the agent service, built from the Dockerfile in this directory.
#   - oauth2-proxy: GitHub-backed login proxy that forwards to openclaw; it is only
#                   started when the `oauth2` profile is enabled.
services:
  openclaw:
    build: .
    container_name: openclaw-agent-service
    restart: unless-stopped
    ports:
      # Publishes the gateway port on the host under the same number. No host IP is
      # given, so by default Docker binds it on every host interface.
      # NOTE(review): this mapping stays in place when the `oauth2` profile is on,
      # so the agent remains reachable directly, not only through the proxy. If the
      # proxy is meant to be the sole entry point, bind this to 127.0.0.1 or drop
      # the mapping (the proxy reaches the service over openclaw-net).
      - "${OPENCLAW_PORT:-4001}:${OPENCLAW_PORT:-4001}"
    environment:
      # Required. Written as a plain ${VAR}, so an unset value is substituted as an
      # empty string (Compose only warns); the `${VAR:?message}` form would make
      # Compose stop with an error instead.
      - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}
      # Gateway settings
      - OPENCLAW_GATEWAY_PORT=${OPENCLAW_PORT:-4001}
      # NOTE(review): defaults to an empty string. Presumably this token guards the
      # gateway on the published port; confirm how the service treats an empty value.
      - OPENCLAW_GATEWAY_TOKEN=${OPENCLAW_GATEWAY_TOKEN:-}
      # Optional: Telegram
      - TELEGRAM_BOT_TOKEN=${TELEGRAM_BOT_TOKEN:-}
      # NOTE(review): empty by default; verify whether an empty allow-list means
      # "nobody" or "anybody" in the service before enabling the bot.
      - TELEGRAM_ALLOWED_USERS=${TELEGRAM_ALLOWED_USERS:-}
      # Optional: Regenerate config on startup
      - OPENCLAW_REGENERATE_CONFIG=${OPENCLAW_REGENERATE_CONFIG:-}
    volumes:
      # Persist workspace and state in named volumes.
      # NOTE(review): both mount points are under /root, which suggests the
      # container process runs as root; confirm against the Dockerfile.
      - openclaw-data:/root/clawd
      - openclaw-config:/root/.openclaw
      # Optional: Mount custom config
      # - ./config:/config:ro
    networks:
      - openclaw-net
    healthcheck:
      # Runs curl inside the container against /health; `-f` makes HTTP error
      # responses count as a failed check. The image therefore has to ship curl.
      test: [ "CMD", "curl", "-f", "http://localhost:${OPENCLAW_PORT:-4001}/health" ]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 10s
  oauth2-proxy:
    # NOTE(review): `latest` is a floating tag, so the authentication component can
    # change on any pull. Pin a release tag and digest, in the form
    # quay.io/oauth2-proxy/oauth2-proxy:<RELEASE_TAG>@sha256:<DIGEST> (placeholders).
    image: quay.io/oauth2-proxy/oauth2-proxy:latest
    container_name: openclaw-proxy
    restart: unless-stopped
    ports:
      # Host port is configurable; the container side is fixed at 4180 to match
      # OAUTH2_PROXY_HTTP_ADDRESS below.
      - "${OAUTH2_PROXY_PORT:-4180}:4180"
    environment:
      - OAUTH2_PROXY_PROVIDER=github
      # Client id/secret and cookie secret have no defaults; unset values are
      # substituted as empty strings. oauth2-proxy expects the cookie secret to be
      # 16, 24 or 32 bytes long.
      - OAUTH2_PROXY_CLIENT_ID=${GITHUB_CLIENT_ID}
      - OAUTH2_PROXY_CLIENT_SECRET=${GITHUB_CLIENT_SECRET}
      - OAUTH2_PROXY_COOKIE_SECRET=${OAUTH2_COOKIE_SECRET}
      # Secure cookies are only sent over HTTPS, while the proxy itself listens on
      # plain HTTP (HTTP_ADDRESS below), so a TLS terminator is needed in front.
      - OAUTH2_PROXY_COOKIE_SECURE=true
      - OAUTH2_PROXY_COOKIE_HTTPONLY=true
      - OAUTH2_PROXY_COOKIE_SAMESITE=lax
      - OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:4180
      # The default still contains the literal <VALID-DOMAIN-HERE> placeholder; set
      # OAUTH2_REDIRECT_URL to the callback registered for the GitHub OAuth app.
      - OAUTH2_PROXY_REDIRECT_URL=${OAUTH2_REDIRECT_URL:-https://<VALID-DOMAIN-HERE>/oauth2/callback}
      # Who may log in: the e-mail allow-list file (mounted below), plus optional
      # GitHub user/org/team restrictions that all default to empty.
      # NOTE(review): confirm how the oauth2-proxy release in use combines these
      # restrictions, and keep allowed-emails.txt as narrow as possible.
      - OAUTH2_PROXY_AUTHENTICATED_EMAILS_FILE=/etc/oauth2-proxy/allowed-emails.txt
      - OAUTH2_PROXY_GITHUB_USER=${GITHUB_ALLOWED_USER:-}
      - OAUTH2_PROXY_GITHUB_ORG=${GITHUB_ALLOWED_ORG:-}
      - OAUTH2_PROXY_GITHUB_TEAM=${GITHUB_ALLOWED_TEAM:-}
      - OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
      - OAUTH2_PROXY_PASS_HOST_HEADER=true
      # NOTE(review): forwards each user's GitHub OAuth access token to the upstream
      # agent (X-Forwarded-Access-Token header). Disable it unless the agent needs
      # the token; otherwise the agent holds a user credential it has no use for.
      - OAUTH2_PROXY_PASS_ACCESS_TOKEN=true
      - OAUTH2_PROXY_SET_XAUTHREQUEST=true
      - OAUTH2_PROXY_PROXY_WEBSOCKETS=true
      # Upstream is addressed by container name over openclaw-net, in plain HTTP.
      - OAUTH2_PROXY_UPSTREAMS=http://openclaw-agent-service:${OPENCLAW_PORT:-4001}/
    volumes:
      # Read-only bind mount of the allow-list. The host file must exist before
      # `up`; with this short syntax Docker creates a directory at a missing path.
      - ./allowed-emails.txt:/etc/oauth2-proxy/allowed-emails.txt:ro
    networks:
      - openclaw-net
    depends_on:
      # Start the proxy only after the openclaw healthcheck reports healthy.
      openclaw:
        condition: service_healthy
    profiles:
      # Not started by a plain `docker compose up`; enable with `--profile oauth2`.
      - oauth2
# Named volumes backing the openclaw workspace and configuration directories.
volumes:
  openclaw-data:
  openclaw-config:
# Private bridge network shared by the agent and the proxy.
networks:
  openclaw-net:
    driver: bridge